AMENDMENT AND RESPONSE UNDER 37 C.F.R. § 1.116 - EXPEDITED PROCEDURE 

Serial Number: 10/676,23 1 
Filing Date: September 30, 2003 

Title: POLICY AND ATTRIBUTE BASED ACCESS TO A RESOURCE 



IN THE CLAIMS 

Please amend the claims as follows: 

Claims 1-7. (Canceled) 

8. (Currently Amended) A method implemented in a computer-readable medium and for 
executing on a proxy server the method for policy and attribute based access to a resovirce, 

comprising: 

receiving, at the proxy server, a session request for access to a resource, wh e r e in the 
session request is sent from a service and includes alias identity information for a principal, 
wherein the alias identity information includes a random password and a random principal 
identification, the alias identity information is randomly generated for identity information, the 
identity information identifies a true identity for the principal; 

mapping, by the proxy server, ihc alias identity information to the identity information of 
the principal, the identity information associated with the true identity of the principal whereas 
the alias identity information is the random password and the random principal identification and 
the identity information and the true identity of the principal is available to the proxy server but 
not the service or the resotarce; 

authenticating, by the proxy server, the identity information; 

acquiring, by the proxy server, a service contract for the principal, the service, and the 
resource; [[,]] 

obtaining from the service contract selective resource access policies and attributes which 
are permissibly used by the service when accessing the resource on behalf of the principal; 

defining, via the service contract, a tripartite relationship among the principal, the service, 
and the resotarce, the service contract is derived fi-om an identity configuration of the principal^ 
the service contract including security strictures for the tripartite relationship including the 
selective resource access policies and the attributes, the access policies define operations that the 
service can perform on behalf of the principal against the resource and those access policies map 
to the attributes, the attributes define specific data fields defined within the resource; and 
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establishing, by the proxy server, a session with the service, wh e r e in the session is 
controlled by the service contract. 

9. (Previously Presented) The method of claim 8 further comprising accessing, by the 
proxy server, the identity configuration for the principal in order to acquire the selective resource 
access policies and attributes included within the service contract. 

10. (Previously Presented) The method of claim 8 fiirther comprising denying, by the proxy 
sever, access attempts made by the service during the session when the access attempts are not 
included within the service contract. 

1 1 . (Previously Presented) The method of claim 8 further comprising terminating, by the 
proxy server, the session when an event is detected that indicates the service contract is 
compromised or has expired. 

12. (Previously Presented) The method of claim 8 fiirther comprising establishing, by the 
proxy sever, the service contract with the principal prior to receiving the session request. 

13. (Previously Presented) The method of claim 12 further comprising reusing, by the proxy 
sever, the service contract to establish one or more additional sessions with the service, wherein 
the one or more additional sessions are associated with one or more additional session requests 
made by the service. 

14. (Original) The method of claim 12 wherein the establishing further includes establishing 
the service contract with the principal in response to a redirection operation performed by a 
proxy that intercepts a browser request issued from the principal to the service for purposes of 
accessing the resoiarce. 
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21 . (Currently Amended) A policy and attribute based resource session manager, residing in 
a computer-accessible medium and for executing on a proxy server, comprising instructions for 
establishing a session with a resource, the instructions when executed performing the method of: 

receiving, at the proxy server, aUas identity information from a service, wh e r e in the alias 
identity information is associated with a principal, and wherein the alias identity information 
includes a random password and a random principal identification, the alias identity information 
is randomly generated for principal identity information of the principal and the principal 
identity information identifies a true identity of the principal; 

requesting, by the proxy server, a mapping of the ahas identity information to the 
principal identity information, the principal identity information associated with the true identity 
of the principal whereas the alias identity information is the random password and the random 
principal identification and the principal identity information and the true identity of the 
principal is available to the proxy server but not the service or the resource; 

requesting, by the proxy server, authenticating of the identity information; 

requesting, by the proxy server, a service contract for the principal, the service and a 
resource, wherein the service contract includes selective resource access pohcies and attributes, 
the service contract is derived from an identity configuration; 

defining, via, the service contract a tripartite relationship among the principal, the service, 
and the resource , the service contract including security strictures for the tripartite relationship 
including the selective resource access policies and the attributes, the access policies define 
operations that the service can perform on behalf of the principal against the resource and those 
access policies map to the attributes, the attributes define specific data fields defined within the 
resource : and 

establishing, by the proxy server, a session with the service and the resource, wh e r e in the 
session is controlled by the service contract. 

22. (Previously Presented) The policy and attribute based resource session manager of claim 
21 having instructions fiarther comprising, permitting, at the proxy server, the service to 
indirectly access an identity store which represents the resource, and wherein the identity store 
includes secure information related to the principal. 
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23. (Previously Presented) The policy and attribute based resource session manager of claim 
21 having instructions further comprising terminating, at the proxy server, the session when the 
service contract expires or is compromised. 

24. (Original) The policy and attribute based resource session manager of claim 2 1 , wherein 
the requesting of the mapping further includes interacting with an alias translator. 

25 . (Original) The policy and attribute based resource session manager of claim 2 1 , wherein 
the requesting of authentication flirther includes interacting with an identification authenticator. 

26. (Previously Presented) The policy and attribute based resource session manager of claim 
21 having instructions further comprising managing, at the proxy server, the session by acting as 
an intermediary between the service and a legacy Lightweight Directory Access Protocol 
(LDAP) application which has access privileges to the resource. 

27. (Original) The policy and allribulc based resource session manager of claim 26, wherein 
the receiving further includes intercepting a session request that is issued from the service for the 
legacy LDAP application, wherein the session request includes the alias identity information. 

28. (Previously Presented) The policy and attribute based resource session manager of claim 
27 having instructions fiirther comprising managing, at the proxy server, the session with respect 
to the service as if the policy based resource session manager were the legacy LDAP application. 



29. (Cancelled). 



